Increased Truebot Activity Infects U.S. and Canada Based Networks

Fortify Security Team
Sep 28, 2024

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Canadian Centre for Cyber Security (CCCS) are releasing this joint Cybersecurity Advisory (CSA) in response to cyber threat actors leveraging newly identified Truebot malware variants against organizations in the United States and Canada. As recently as May 31, 2023, the authoring organizations have observed an increase in cyber threat actors using new malware variants of Truebot (also known as Silence.Downloader). Truebot is a botnet that has been used by malicious cyber groups like CL0P Ransomware Gang to collect and exfiltrate information from its target victims.

Previous Truebot malware variants were primarily delivered by cyber threat actors via malicious phishing email attachments; however, newer versions allow cyber threat actors to also gain initial access through exploiting CVE-2022-31199—(a remote code execution vulnerability in the Netwrix Auditor application), enabling deployment of the malware at scale within the compromised environment. Based on confirmation from open-source reporting and analytical findings of Truebot variants, the authoring organizations assess cyber threat actors are leveraging both phishing campaigns with malicious redirect hyperlinks and CVE-2022-31199 to deliver new Truebot malware variants.

Read the associated Malware Analysis Report: MAR-10445155-1.v1 Truebot Activity Infects U.S. and Canada Based Networks
For a downloadable copy of IOCs in .xml and .json format, see:

Associated Delivery Vectors and Tools

Truebot has been observed in association with the following delivery vectors and tools:

Raspberry Robin (Malware)

Raspberry Robin is a wormable malware with links to other malware families and various infection methods, including installation via USB drive [T1091].[5] Raspberry Robin has evolved into one of the largest malware distribution platforms and has been observed deploying Truebot, as well as other post-compromise payloads such as IcedID and Bumblebee malware. With the recent shift in Truebot delivery methods from malicious emails to the exploitation of CVE-2022-31199, a large number of Raspberry Robin infections have leveraged this exploitable CVE.

Flawed Grace (Malware)

FlawedGrace is a remote access tool (RAT) that can receive incoming commands [T1059] from a C2 server sent over a custom binary protocol [T1095] using port 443 to deploy additional tools [T1105]. Truebot malware has been observed leveraging (and dropping) FlawedGrace via phishing
campaigns as an additional payload [T1566.002]. Note: FlawedGrace is typically deployed minutes after Truebot malware is executed.

Cobalt Strike (Tool)

Cobalt Strike is a popular remote access tool (RAT) that cyber threat actors have leveraged—in an observable manner—for a variety of post-exploitation means. Typically a few hours after Truebot’s execution phase, cyber threat actors have been observed deploying additional payloads containing Cobalt Strike beacons for persistence and data exfiltration purposes [T1059]. Cyber threat actors use Cobalt Strike to move laterally via remote service session hijacking [T1563.001][T1563.002], collecting valid credentials through LSASS memory credential dumping, or creating local admin accounts to achieve pass the hash alternate authentication [T1003.001][T1550.002].

Teleport (Tool)

Cyber threat actors have been observed using a custom data exfiltration tool, which Talos has named “Teleport.”[2] Teleport is known to evade detection  during data exfiltration by using an encryption key hardcoded in the binary and a custom communication protocol [T1095] that encrypts data using advanced encryption standard (AES) and a hardcoded key [T1048][T1573.002]. Furthermore, to maintain its stealth, Teleport limits the data it collects and syncs with outbound organizational data/network traffic [T1029][T1030].

Truebot Malware Indicators of Compromise (IOCs)

Truebot IOCs from May 31, 2023, contain IOCs from cyber threat actors conducting Truebot malspam campaigns. Information is derived from a trusted third party, they observed cyber threat actors from 193.3.19[.]173 (Russia) using a compromised local account to conduct phishing campaigns on May 23, 2023 and spread malware through: https[:]//snowboardspecs[.]com/nae9v, which then promptly redirects the user to: https://www.meditimespharma[.]com/gfghthq/, which a trusted third party has linked to other trending Truebot activity.

After redirecting to https://www.meditimespharma[.]com/gfghthq/, trusted third parties have observed, the cyber threat actors using Truebot to pivot to https://corporacionhardsoft[.]com/images/2/Document_16654.exe, which is a domain associated with snowboardspecs[.]com. This malicious domain has been linked to UNC4509, a threat cluster that has been known to use traffic distribution systems (TDS) to redirect users to either a benign or malicious website to facilitate their malicious phishing campaigns in May 2023.

According to trusted third parties, the MD5 Hash: 6164e9d297d29aa8682971259da06848 is downloaded from https://corporacionhardsoft.com/images/2/Document_16654[.]exe and has been flagged by numerous security vendors, as well as is linked to UNC4509 Truebot campaigns. Note: These IOCs are associated with Truebot campaigns used by Graceful Spider to deliver FlawedGrace and LummaStealer payloads in May of 2023.

After Truebot is downloaded, the malware copies itself to C:\Intel\RuntimeBroker.exe and—based on trusted third party analysis—is linked to https://essadonio.com/538332[.]php (which is linked to 45.182.189[.]71 (Panama) and is associated with other trending Truebot malware campaigns from May 2023).

 

Recent Posts

BlackCat/ALPHV Ransomware IOCs

As of March 2022, BlackCat/ALPHV ransomware as a service (RaaS) had compromised at least 60 entities worldwide and is the first ransomware group to do so successfully using RUST, considered to be a more secure programming language that offers improved performance and...

IOCs Associated with Ranzy Locker Ransomware

The FBI first identified Ranzy Locker ransomware in late 2020 when the variant began to target victims in the United States. Unknown cyber criminals using Ranzy Locker ransomware had compromised more than 30 US businesses as of July 2021. The victims include the...

Conti Ransomware

While Conti is considered a ransomware-as-a-service (RaaS) model ransomware variant, there is variation in its structure that differentiates it from a typical affiliate model. It is likely that Conti developers pay the deployer's of the ransomware a wage rather than a...

Conti Ransomware

While Conti is considered a ransomware-as-a-service (RaaS) model ransomware variant, there is variation in its structure that differentiates it from a typical affiliate model. It is likely that Conti developers pay the deployer's of the ransomware a wage rather than a...

BlackMatter Ransomware

This advisory provides information on cyber actor tactics, techniques, and procedures (TTPs) obtained from a sample of BlackMatter ransomware analyzed in a sandbox environment as well from trusted third-party reporting. Using embedded, previously compromised...

Indicators of Compromise Associated with IcedID

FBI reporting has indicated a recent increase in IcedID malware acting as a “dropper,” infecting victims with additional malware. Examples of ransomware variants dropped by IcedID include Defray777, GlobeImposter, Cuba, Conti, and REvil (aka Sodinokibi). First...